This year World Password Day falls on the 2nd of May. Held each year on the first Thursday in May, World Password Day promotes better password habits.
With this in mind, we want to provide some useful hints and tips on how you can stay safe online, with seven examples of positive password habits.
Since the pandemic, working from home has become the norm for many businesses and their employees. Whether you work on a hybrid or fully remote basis, working outside an office environment can create cybersecurity challenges.
Even if you do not work from home, it is still important to stay as safe as possible online, as we regularly use passwords to access online banking, social media accounts, shopping sites such as Amazon or eBay, dating sites and much more.
1) Using a strong password is essential for defending against cyberattacks. We recommend a password of 15 to 20 characters that includes letters and numbers.
Where possible, use a mix of letters and numbers, upper and lower case, and special characters such as ! or ?.
Avoid passwords that could be guessed, such as birthdays, names, favourite artists or sports teams. A password needs to be as random and unique as possible, yet still one you will remember.
Your employer should be able to configure your device to prompt for password updates as regularly as needed. If not, consider updating your passwords at least every other month, and whenever you do, it is imperative that the new password is not a repeat of one you have used before.
If you set your own passwords, it could be worth using a password manager, such as NordPass or Keeper, to store them safely. A password manager is a program that stores and manages the passwords for all your online services, such as email accounts, accounting software, online shops and social media.
2) Do not use the same username and password for every account or website. Not only is it bad practice, it also opens you up to credential stuffing attacks. Credential stuffing is an attack in which criminals take lists of usernames and passwords leaked in earlier breaches and try them against other systems.
Attackers automate this with bots because they know that many users reuse the same username and password across multiple websites for convenience, without realising the risk involved.
Bots are not the only danger: acquaintances who know your ‘likes’ and personal details also have a better chance of getting into your accounts, which leads on to point 3.
3) Do not share your password with other people. This should be common sense, but never disclose your passwords to anyone: you have no control over who uses them, where and how they are used, who they are passed on to, or whether those people are trustworthy.
If you receive an email or text from your bank (or a similar organisation) asking for your password, do not provide it. Your bank will never ask you for your password, so handing it over could open you up to a cyberattack.
4) Suspicious, phishing and scam emails. If you receive an email you are not sure about, do not open it. Check the sender details and contact information within the email to see whether they look authentic. A scam email may also have poor spelling or grammar, come from an unusual email address, or use imagery that does not look quite right, because the sender is trying to mimic a genuine company.
As of January 2024, over 24 million scam emails had been reported in the UK. The main goal is to make you visit a website that may download a virus onto your computer, or to get you to enter your password into a fake site so that your bank details or other personal information can be stolen. These websites often look almost identical to the authentic site, with only minor differences, making it very difficult to spot that you are not on the genuine one.
Scam emails tend to appear to come from a company you trust, such as your bank, HMRC, your GP surgery or an online store. If ever in doubt, call the company to confirm they sent the email. Never use the contact details provided within the email, as these may lead to a fraudulent call centre or phone number.
Remember: genuine emails should never ask you for your credentials or to sign in via a linked website.
Moving forward:
- Report the scam to help stop others falling foul of criminal activity: https://www.ncsc.gov.uk/collection/phishing-scams/report-scam-email
- Block the address the email came from, so you no longer receive emails from this sender.
- If working from home, contact your IT manager or internet service provider so they can work with the hosting company to take down links to malicious websites.
5) Use multi-factor authentication. MFA adds one or two extra layers of security by requiring you to verify each login. This may be a one-time code sent to your phone that you must enter, a code emailed to a secondary address, or a link sent to an app on your mobile.
With one-time passwords, a new code is generated each time an authentication request is made.
MFA reduces the chance of an unauthorised user accessing your accounts: even if they get past the first layer of security, they will be unable to go any further.
If your MFA is ‘answers to personal security questions,’ make sure your answers are difficult to guess and not common answers.
Again, this is important for both working from home and for general internet use.
6) Test your password. You can check whether your password is strong enough with an online strength-testing tool, e.g. Microsoft’s password strength tester. The tool gives you feedback to help improve the strength of your passwords, focusing on breaking typical bad password habits.
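Points 1 and 6 together describe what a strength check should enforce. The checker below is an added example, not code from this post or from Microsoft’s tool; it applies the rules from point 1 locally, including a comparison against fingerprints of previous passwords, so the real password never has to be typed into a third-party website. The guessable-fragment list and the sample passwords are constructed placeholders.

```python
import hashlib
import re

# Rules restated from point 1 of the post: 15 to 20 characters, letters and
# numbers, mixed case, a special character, nothing guessable, and no repeat
# of a password used before.
MIN_LEN, MAX_LEN = 15, 20

# Constructed list of "guessable" fragments (dates, names, artists, teams).
# A real deployment would load a much larger list.
GUESSABLE = ("1990", "1985", "alice", "beatles", "arsenal", "password", "qwerty")


def password_fingerprint(password):
    """Hash used only to compare against password history without keeping plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate, previous_fingerprints=()):
    """Return the list of rules the candidate breaks; an empty list means it passes."""
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"\d", candidate)):
        problems.append("must include both letters and numbers")
    if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)):
        problems.append("must mix upper and lower case")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("must include a special character such as ! or ?")
    lowered = candidate.lower()
    for word in GUESSABLE:
        if word in lowered:
            problems.append(f"contains guessable fragment '{word}'")
    if password_fingerprint(candidate) in previous_fingerprints:
        problems.append("repeats a previous password")
    return problems


if __name__ == "__main__":
    history = {password_fingerprint("Old!Kettle#Rides42")}
    for pw in ("arsenal1990", "Blue!Kettle#Rides42", "Old!Kettle#Rides42"):
        print(pw, "->", check_password(pw, history) or "OK")
```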
7) Avoid writing down your passwords. Do not store passwords on paper or in an ordinary digital file (unless it is within a password manager), as that information can be stolen.
Online criminals and scammers look for easy targets, so it is essential to take basic precautions. We hope that you have found our ‘Best Password Practice’ blog useful and informative.